Privacy Code

INTRODUCTION

Prince Edward Island Mutual Insurance Company is concerned about the protection of personal information of its’ customers" (as defined in this Code). PEI Mutual has adopted this Code and agrees to adhere to the principles in this Code and may adopt additional measures for the protection of privacy of personal information.

This Code shall be deemed a set of principles respecting the manner in which PEI Mutual protects the privacy of customers.

The Code addresses two broad issues: the way the Company shall collect, use, disclose and protect personal information; and the right of customers to have access to personal information about themselves and, if necessary, to have the information corrected. Ten interrelated principles form the basis of the Code. Each principle is accompanied by a commentary that elaborates on the principle.

This Code:

(a) provides principles for the management of personal information;

(b) specifies the minimum requirements for the adequate protection of personal information held by the Company;

(c) makes the public aware of how personal information is protected by PEI Mutual;

(d) as designed by the IBC, provides standards by which the international community can measure the protection of personal information by P&C insurers in Canada; and 

(e) provides for independent mediation when PEI Mutual and it’s customers disagree about Customer Access (Principle 9). Insurance Bureau of Canada will assist the parties in arranging such independent mediation.


PRINCIPLES IN SUMMARY

Ten interrelated principles form the basis of this Code. Each principle must be read in conjunction with the accompanying commentary.

1. Accountability
PEI Mutual is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the Company’s compliance with the following principles.

2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the Company at or before the time the information is collected. 

3. Consent
The knowledge and consent of the customer are required for the collection, use, or disclosure of personal information, except where inappropriate. 

4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the Company. Information shall be collected by fair and lawful means.

5. Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the customer or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

6. Accuracy 
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness
PEI Mutual shall make readily available to customers specific information about its policies and practices relating to the management of personal information.

9. Customer Access 
Upon request, a customer shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. A customer shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance
A customer shall be able to challenge compliance with the above principles with the person who is accountable within the Company. 


1. SCOPE

1.1 
This Code describes the minimum requirements for the protection of personal information. Any applicable legislation must be considered in implementing these requirements.


1.2 
This Code applies to personal information relating to "customers" as defined in 2.1.


1.3 
The objective of this Code is to assist PEI Mutual in developing and implementing policies and practices to be used when managing personal information.


2. DEFINITIONS

2.1
The following definitions apply in this Code:

"Collection" - the act of gathering, acquiring or obtaining personal information from any source, including from third parties, by any means. Personal information necessary to carry on the business of Property and Casualty (P&C) Insurance may be collected by PEI Mutual or it’s authorized agents. 

"Consent" - voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the insurer seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the customer. See commentary in 4.3.1. 

"Customer" - individuals about whom PEI Mutual collects personal information in order to carry out the business of Property and Casualty insurance; and includes individuals who are insureds, former insureds, applicants, claimants, individuals involved in a claim, and individuals insured as part of a group or corporate policy.

"Customer" does not include commercial and corporate entities, or individuals carrying on business in sole proprietorships, in partnerships or in other associations.

"Disclosure" - making personal information available to others outside of PEI Mutual.

"P&C insurers" - Property & Casualty insurers licensed in Canada to write any class of insurance other than life insurance. 

"PEI Mutual" – Prince Edward Island Mutual Insurance Company, otherwise identified herein as “the Company”.

"Personal information" - information about a customer that is recorded in any form. It may include an individual's name, address, telephone number, date of birth, family status, marital status, occupation, medical and health records, assets, liabilities, income, credit rating, whether or not credit was extended or refused to the individual, credit and payment records of the individual, an individual's previous insurance experience including claims history, and an individual's driving record. 

"Use" - treatment and handling of personal information within PEI Mutual.


3. GENERAL REQUIREMENTS

3.1 
The ten principles that make up this Code are interrelated. PEI Mutual in adopting this Code shall adhere to the set of ten principles as a whole. 


3.1.1 
Each principle is followed by a commentary. The commentaries are intended to help customers of PEI Mutual understand the significance and the implications of the principles. Where there is also a "NOTE" following a principle (see principles 3 and 9), it forms an integral part of the principle.


3.1.2
Although the following clauses use prescriptive language (that is, the words "shall" or "must") this document is a voluntary Code. PEI Mutual in adopting the principles and general practices contained in the Code will treat the clauses containing prescriptive language as requirements. The use of the word "should" indicates a recommendation.


3.1.3
Use of the singular does not exclude the plural (and vice versa) when the sense allows.


4.1 PRINCIPLE 1: ACCOUNTABILITY

PEI Mutual is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the Company's compliance with the following principles.

4.1.1 
Accountability for PEI Mutual’s compliance with the principles rests with the designated individual(s) even though other individuals within the Company may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the Company may be delegated to act on behalf of the designated individual.


4.1.2
The identity of the individuals designated by PEI Mutual to oversee the Company’s compliance with the principles shall be available upon request. 


4.1.3
PEI Mutual is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The Company should use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. 


4.1.4
PEI Mutual shall implement policies and practices to give effect to the principles, including:

(a) implementing procedures to protect personal information; 

(b) establishing procedures to receive and respond to complaints and inquiries;

(c) training staff and communicating to staff information about the Company’s policies and practices; and

(d) developing information to explain the Company’s policies and procedures.


4.2 PRINCIPLE 2: IDENTIFYING PURPOSES

The purposes for which personal information is collected shall be identified by PEI Mutual before or at the time the information is collected.

4.2.1 
PEI Mutual shall collect personal information only for the purposes of:

establishing and maintaining communications with customers;
underwriting risks on a prudent basis;
investigating and paying claims;
detecting and preventing fraud;
offering and providing products and services to meet customer needs;
compiling statistics;
complying with the law; and
a business or activity which it may undertake under applicable federal, provincial or territorial legislation.


4.2.2
PEI Mutual understands that the information it needs to collect to fulfill the purposes referred to in 4.2.1. requires the Company or its designates to collect only that information necessary for the identified purposes. 

4.2.3
The identified purposes should be communicated to customers or other persons from whom the personal information is being collected. This can be done orally or in writing, as for example, on an application form or through pamphlets or other suitable media.

4.2.4
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified before use. Unless the new purpose is required by law, the consent of the customer is required before information can be used for that purpose.

4.2.5
Persons collecting personal information should be able to explain to customers the purposes for which the information is being collected. 



4.3 PRINCIPLE 3: CONSENT

The knowledge and consent of the customer are required for the collection, use, or disclosure of personal information, except where inappropriate.

NOTE: In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the customer. For example, legal, medical or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the customer might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the customer is a minor, seriously ill, or mentally incapacitated. In addition, where there is no direct relationship with the customer, the PEI Mutual may not always be able to seek consent. However, when certain types of information are being collected, such as medical or hospital records, employment records or income tax records, the Company will obtain express consent from the customer. 

4.3.1
The Property & Casualty insurance business has the following unique features which make express consent impossible to obtain:

As a convenience to it’s customers, PEI Mutual often provides insurance or amendments to existing policies over the telephone, on short notice and with little written documentation. In these circumstances, it is impossible for the Company to obtain express written consent from customers.
PEI Mutual may have a legal duty to defend it’s policyholders against claims made by third party claimants. In such situations, the Company and the third party claimants are adverse parties. In order to fulfil it’s obligations to it’s policyholders, PEI Mutual must collect, use and disclose personal information about such third party claimants that is relevant to the claim even if the third party claimants have not given their consent. 

Given these constraints, it is reasonable for the Company to infer that by dealing with them on insurance related matters, customers have given implied consent for the collection, use or disclosure of personal information necessary for the identified purposes (see 4.2.1). 

4.3.2
The following are situations specific to the property & casualty insurance business where consent is not required for the collection, use and disclosure of personal information:

(a) Legal
Collection of personal information for the detection and prevention of fraud.
Compliance with subpoenas, search warrants, and other court or government orders.

In either of these situations obtaining consent might defeat the purpose of collecting the information.

(b) Duty to Defend
PEI Mutual will transfer the personal information of customers to lawyers retained by the Company pursuant to the contractual obligation in the insurance policy to defend legal actions against their insureds.


(c) Public Duty
In exceptional circumstances, the Company may, under a public duty, disclose personal information to appropriate authorities in matters of significant public interest.


(d) Medical and Other
Where the customer is a minor, seriously ill, or mentally incapacitated, seeking consent may be impossible or inappropriate.


4.3.3
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when the Company wants to use information for a purpose not previously identified).

4.3.4
The principle requires "knowledge and consent". This suggests that the Company shall make a reasonable effort to ensure that the customer is advised of the purposes for which the information will be used. The purposes shall be stated in a manner that can be reasonably understood by the customer. 

4.3.5
PEI Mutual may not, as a condition of the supply of a product or service, require a customer to consent to the collection, use or disclosure of information beyond that required to fulfill the specified, explicit and legitimate purposes. The Company should explain to the customer the information requirements that are related to the product or service. In so doing, PEI Mutual has provided a specified, explicit and legitimate purpose. The Company can then refuse to deal with a customer who will not consent to the collection, use and disclosure of the information for the specified, explicit and legitimate purpose. For example, the Company provides insurance at specified rates and on certain terms and conditions based on, among other things, analysis of an individual's personal information, including date of birth, address, and claims history. If this information is not obtained, the Company cannot determine the basis for insurance coverage and, therefore, cannot provide insurance to the customer. Consent shall not be obtained through deception.

4.3.6
There are certain types of information where the express written consent of the customer will be obtained for the collection, use or disclosure of personal information. For example, medical or hospital records, employment records or income tax returns.

4.3.7
A customer should reasonably expect that PEI Mutual will use personal information in making its decisions on the customer's insurability and in adjusting the customer's claim. On the other hand, a customer would not reasonably expect the Company to give accident information to car sales companies to solicit individuals for the purchase of a new car if the customer's car had incurred extensive damage in an accident.

4.3.8
Consent can be given by an authorized representative (such as, person having a power of attorney, or legal guardian). Consent can also be given by an individual on behalf of another individual. For example, where an individual applies for automobile insurance for himself and family members, the applicant is giving consent for the collection, use and disclosure of personal information both for himself and his family members even though the family members are not present during the application process. A similar situation arises where an employer, on behalf of its employees, applies for or renews a group or fleet insurance policy which provides insurance benefits to the employees even though the employees are not present during the application or renewal process. 

4.3.9
Where PEI Mutual seeks express consent, it can be given in many ways. For example:

(a) An application form may be used to seek consent, collect information and inform the customer of the use that will be made of the information. By completing and signing the form, the customer is giving consent to the collection and the specified uses.

(b) A check-off box may be used to allow customers to request that their names and addresses not be given to other organizations for marketing purposes. Customers who do not check the box are assumed to consent to the transfer of this information to third parties.

(c) Consent may be given orally when information is collected over the telephone.

(d) Consent may be given by agreement, or action on the part of the customer, to use, acquire or accept a product or service.

4.3.10
Consent is valid for the length of time needed to achieve the identified purposes. The customer may withdraw consent on reasonable notice, subject to legal or contractual restrictions and the requirement that PEI Mutual maintain the integrity of the statistics and data necessary to carry on their business. The Company should inform the customer of the implications of such withdrawal.


4.4 PRINCIPLE 4: LIMITING COLLECTION

The collection of personal information shall be limited to that which is necessary for the purposes identified by PEI Mutual. Information shall be collected by fair and lawful means.

4.4.1
PEI Mutual shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. The Company obtains personal information primarily from insurance customers, but also from others including other P&C insurers, brokers, and underwriting or claims information networks. The Company should specify the type of information collected as part of their information handling policies and practices in accordance with Principle 8 - Openness.

4.4.2 
The requirement that personal information be collected by fair and lawful means is intended to prevent the Company from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.


4.5 PRINCIPLE 5: LIMITING USE, DISCLOSURE AND RETENTION

Personal information shall not be used or disclosed for purposes other than those for which the information was collected, except with the consent of the customer or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes. 

4.5.1
There are situations specific to the Property & Casualty insurance business where PEI Mutual will disclose personal information as dictated by prudent insurance practices. For example:

(a) Risk-Sharing: As part of the underwriting and claims handling process, the company transfers personal information to other insurance companies including reinsurance companies which share in the risk. This would include situations where the customer has made a fraudulent application for or renewal of a policy of insurance.

(b) Information Services: PEI Mutual discloses personal information for underwriting, claims, classification and rating purposes.

(c) Insurance Services: PEI Mutual discloses personal information to businesses that provide goods and services to insurance companies and/or their customers, such as data processors, loss control managers and claims adjusters.

(d) Insurance Intermediaries: PEI Mutual may disclose personal information to their insurance intermediaries, such as brokers and agents.

Only the information necessary for these services will be provided by the Company to these service providers.

4.5.2
When PEI Mutual uses personal information for a new purpose, it must document this purpose.

4.5.3
PEI Mutual should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about a customer shall be retained long enough to allow the customer access to the information after the decision has been made. The Company may be subject to legislative requirements with respect to retention periods.

4.5.4
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous. The Company should develop guidelines and implement procedures to govern the destruction of personal information.


4.6 PRINCIPLE 6: ACCURACY

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

4.6.1
The extent to which personal information shall be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the customer. Information shall be sufficiently accurate, complete and up-to-date, to minimize the possibility that inappropriate information may be used to make a decision about the customer.

4.6.2
PEI Mutual should not routinely up-date personal information unless this is necessary to fulfil the purposes for which it was collected. 

4.6.3
Personal information that is used on an on-going basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.


4.7 PRINCIPLE 7: SAFEGUARDS

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

4.7.1 
The security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. PEI Mutual is expected to protect personal information regardless of the format in which it is held.

4.7.2 
The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information and the method of storage. More sensitive information should be safeguarded by a higher level of protection. 

4.7.3 
The methods of protection should include:

(a) physical measures, such as locked filing cabinets and restricted access to offices;

(b) organizational measures, such as security clearances and limiting access on a "need to know" basis; and

(c) technological measures, such as the use of passwords and encryption. 

4.7.4 
PEI Mutual shall make it’s employees aware of the importance of maintaining the confidentiality of personal information. 

4.7.5 
Care shall be used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information. 


4.8 PRINCIPLE 8: OPENNESS

PEI Mutual shall make readily available to customers specific information about its policies and practices relating to the management of personal information.

4.8.1
PEI Mutual shall be open about it’s policies and practices with respect to the management of personal information. A customer should be able to acquire information about the Company’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

4.8.2
The information made available shall include:

(a) the title, address and telephone number of the person who is accountable for the Company’s policies and practices and to whom complaints or inquiries can be forwarded; 

(b) the means of gaining access to personal information held by the Company;

(c) a description of the type of personal information held by the Company, including a general account of its use;

(d) a copy of any brochures or other information explaining the Company’s policies, standards or codes; and 

(e) what personal information is made available to related organizations, such as subsidiaries.

4.8.3
PEI Mutual may make information on its policies and practices available in a variety of ways. The method chosen will depend on the nature of its business and other considerations. For example, the Company may choose to make brochures available in its place of business, mail information to its customers, provide on-line access, or establish a toll-free telephone number.


4.9 PRINCIPLE 9: CUSTOMER ACCESS

Upon request, a customer shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. A customer shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. 

NOTE: In certain situations, PEI Mutual may not be able to provide access to all the personal information it holds about a customer. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the customer upon request. Exceptions may include prohibitive cost, personal information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege. 

4.9.1
Upon request, PEI Mutual shall inform a customer whether or not the Company holds personal information about the customer. The Company is encouraged to indicate the source of this information. The Company shall allow the customer access to this information. However, the Company may choose to make sensitive medical information available through a medical practitioner. In addition, the Company should provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed. If such a request is denied, the customer shall have the right to be given reasons, for the denial and information on how to challenge such denial including:

(a) an invitation to the customer to send a letter to the Company’s President requesting reconsideration of such denial;

(b) a commitment by the Company to open promptly a dialogue with the customer; and

(c) a commitment by the Company to participate in an independent mediation process should the parties be unable to resolve the dispute. Insurance Bureau of Canada will assist the parties in arranging this independent mediation.

4.9.2
A customer may be required to provide sufficient information to permit the Company to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.

4.9.3
In providing an account of third parties to which it has disclosed personal information about a customer, the Company should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about a customer, the Company should provide a list of organizations to which it may have disclosed information about the customer.

4.9.4
PEI Mutual shall respond to a customer's reasonable request within a reasonable time and at minimal or no cost to the customer. The requested information shall be provided or made available in a form that is generally understandable. For example, if the Company uses abbreviations or codes to record information, an explanation shall be provided.

4.9.5
When a customer successfully demonstrates the inaccuracy or incompleteness of personal information, the Company must amend the information as required. Depending upon the nature of the information challenged, amendment could involve the correction, deletion or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.

4.9.6
When a challenge is not resolved to the satisfaction of the customer, the substance of the unresolved challenge should be recorded by the Company. When appropriate, the existence of the unresolved challenge should be transmitted to third parties having access to the information in question.


4.10 PRINCIPLE 10: CHALLENGING COMPLIANCE

A customer shall be able to challenge compliance with the above principles with the person who is accountable within PEI Mutual. 

4.10.1
The individual accountable for the Company’s compliance is discussed in 4.1.1. 

4.10.2
PEI Mutual shall put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaint process should be easily accessible and simple to use.

4.10.3
PEI Mutual shall inform customers who make inquiries or lodge complaints of the existence of relevant complaint mechanisms. A range of these mechanisms may exist. For example, some regulatory bodies accept complaints about the personal information handling practices of the companies they regulate. 

4.10.4
PEI Mutual shall investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, the Company shall take appropriate measures, including amending its policies and practices if necessary. 

4.10.5
Insurance customers of provincial Property & Casualty insurers may contact the provincial Superintendent of Insurance at the address shown below:

Superintendent of Insurance
Department of Justice
Box 2000, 105 Rochford Street
Charlottetown, PE C1A 7N8